
Pyload-Ng Project Pyload-Ng vulnerabilities

46 known vulnerabilities affecting pyload-ng_project/pyload-ng.

Total CVEs: 46
CISA KEV: 0
Public exploits: 4
Exploited in wild: 1
Severity breakdown: CRITICAL 8, HIGH 18, MEDIUM 19, UNKNOWN 1

Vulnerabilities

Page 3 of 3
CVE-2023-0488 | P4 | MEDIUM | CVSS 5.4 | fixed in 0.5.0b3.dev42 | 2023-01-26
CVE-2023-0488 [MEDIUM] CWE-79: Cross-site Scripting (XSS) - Stored in GitHub repository pyload/pyload prior to 0.5.0b3.dev42.
ghsa | nvd | osv
CVE-2024-24808 | P4 | MEDIUM | ≥ 0, < 0.5.0b3.dev79 | 2024-02-05
CVE-2024-24808 [MEDIUM] CWE-601: pyLoad open redirect vulnerability due to improper validation of the is_safe_url function. Summary: Open redirect vulnerability due to incorrect validation of input values when redirecting users after login. Details: pyload is validating URLs via the `get_redirect_url` function when redirecting users at login. The URL entered in the `next` variable goes through the `
ghsa | osv
CVE-2026-40594 | P4 | MEDIUM | CVSS 4.8 | fixed in 0.5.0b3.dev69 | 2026-04-21
CVE-2026-40594 [MEDIUM] CWE-346: pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev98, the set_session_cookie_secure before_request handler in src/pyload/webui/app/__init__.py reads the X-Forwarded-Proto header from any HTTP request without validating that the request originates from a trusted proxy, then mutates the global Flask configuration
ghsa | nvd
CVE-2023-0057 | P4 | MEDIUM | CVSS 6.1 | fixed in 0.5.0b3.dev33 | 2023-01-05
CVE-2023-0057 [MEDIUM] CWE-1021: Improper Restriction of Rendered UI Layers or Frames in GitHub repository pyload/pyload prior to 0.5.0b3.dev33.
ghsa | nvd | osv
CVE-2023-0055 | P4 | MEDIUM | ≥ 0, < 0.5.0b3.dev32 | 2023-01-05
CVE-2023-0055 [MEDIUM] CWE-319: Pyload contains Sensitive Cookie in HTTPS Session Without 'Secure' Attribute. Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository pyload/pyload prior to 0.5.0b3.dev32. The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session. This issue is patched in versio
ghsa | osv
CVE-2024-47821 | P4 | HIGH | ≥ 0, < 0.5.0b3.dev87 | 2024-10-28
CVE-2024-47821 [HIGH] CWE-78: pyLoad vulnerable to remote code execution by download to /.pyload/scripts using /flashgot API. Summary: The folder `/.pyload/scripts` has scripts which are run when certain actions are completed, e.g. when a download is finished. By downloading an executable file to a folder in /scripts and performing the respective action, remote code execution can be achieved. A file ca
ghsa | osv